cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From emilSverige <>
Subject Signing an MTOM attachment only, not the entire message
Date Thu, 26 Nov 2009 12:39:32 GMT

Hi, I want to sign an MTOM attachment only, not the soap message. I am aware
that the WSS4J-interceptor doesn't sign the attachment, so I'm trying to do
it in plain java instead.

Please note that the soap message should be unsigned, only the attachment
should be signed.

So far I have managed to sign an attachment and save it to disk, then read
it and send with cxf. No problem, but I would like to get rid of the "save
to disk" part since it seems unnecessary.

Unfortunately though, I don't know how to. I have no idea how a Datahandler
can handle a  DeferredDocumentImpl. Any help is appreciated!

This is the code that signs, saves to disk, reads from disk and prepares the

 * @param fileInputStream The data to sign
 * @return A signed document
DeferredDocumentImpl createSignedDocument(FileInputStream fileInputStream){
		// Create a DOM XMLSignatureFactory that will be used to generate the
		// enveloped signature
		XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
		// Create a Reference to the enveloped document (in this case we are
		// signing the whole document, so a URI of "" signifies that) and
		// also specify the SHA1 digest algorithm and the ENVELOPED Transform.
		Reference ref = fac.newReference("", fac.newDigestMethod(
				DigestMethod.SHA1, null), Collections.singletonList(fac
				(TransformParameterSpec) null)), null, null);
		// Create the SignedInfo
		SignedInfo si = fac
				(C14NMethodParameterSpec) null), fac
				.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
		KeyStore keystore = KeyStore.getInstance("JKS");
		keystore.load(new FileInputStream("myKeystore.jks"),
		PrivateKey privateKey = (PrivateKey)keystore.getKey( "MyAlias",
		KeyStore.PasswordProtection password = new
		KeyStore.PrivateKeyEntry thePrivKeyEntry = (KeyStore.PrivateKeyEntry)
keystore.getEntry("myAlias", password);
		X509Certificate cert = (X509Certificate) thePrivKeyEntry.getCertificate();
		// Create the KeyInfo containing the X509Data.
		KeyInfoFactory kif = fac.getKeyInfoFactory();
		List x509Content = new ArrayList();
		X509Data xd = kif.newX509Data(x509Content);
		KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));
		// Instantiate the document to be signed
		DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
		Document doc = dbf.newDocumentBuilder().parse(fileInputStream);
		// Create a DOMSignContext and specify the DSA PrivateKey and
		// location of the resulting XMLSignature's parent element
		DOMSignContext dsc = new DOMSignContext(privateKey, doc
		// Create the XMLSignature (but don't sign it yet)
		XMLSignature signature = fac.newXMLSignature(si, ki);
		// Marshal, generate (and sign) the enveloped signature
		return doc;

public void sendAnAttachmentWithSignature(){
	// Sign the dokument
	DeferredDocumentImpl signedDoc = new XmlSign().createSignedDocument( new
FileInputStream("a_file.xml") );
	// Save it to disk
	OutputStream os = new FileOutputStream( "a_signed_file.xml" );
			TransformerFactory tf = TransformerFactory.newInstance();
			Transformer trans = tf.newTransformer();
			trans.transform(new DOMSource(signedDoc ), new StreamResult(os));
	// Create a DataHandler to attach to the web service klient
	DataHandler dh = new DataHandler( 
					new FileDataSource(
					new File("a_signed_file.xml" )) );
	// Add the datahandler to the request object
	WebServiceRequest req = new WebServiceRequest();
	req.setData( dh );
	// Then send the request...
View this message in context:
Sent from the cxf-user mailing list archive at

View raw message